CVE-2020-25649

Summary

CVE	CVE-2020-25649
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-12-03 17:15:00 UTC
Updated	2023-11-07 03:20:00 UTC
Description	A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Risk And Classification

Problem Types: CWE-611

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Iotdb	All	All	All	All
Application	Fasterxml	Jackson-databind	All	All	All	All
Application	Fasterxml	Jackson-databind	All	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Application	Netapp	Oncommand Api Services	-	All	All	All
Application	Netapp	Oncommand Api Services	-	All	All	All
Application	Netapp	Oncommand Workflow Automation	-	All	All	All
Application	Netapp	Oncommand Workflow Automation	-	All	All	All
Application	Netapp	Service Level Manager	-	All	All	All
Application	Netapp	Service Level Manager	-	All	All	All
Application	Oracle	Agile Plm	9.3.6	All	All	All
Application	Oracle	Agile Product Lifecycle Management Integration Pack	3.6	All	All	All
Application	Oracle	Banking Apis	19.1	All	All	All
Application	Oracle	Banking Apis	19.2	All	All	All
Application	Oracle	Banking Apis	20.1	All	All	All
Application	Oracle	Banking Apis	21.1	All	All	All
Application	Oracle	Banking Apis	All	All	All	All
Application	Oracle	Banking Platform	2.10.0	All	All	All
Application	Oracle	Banking Platform	2.6.2	All	All	All
Application	Oracle	Banking Platform	2.7.0	All	All	All
Application	Oracle	Banking Platform	2.7.1	All	All	All
Application	Oracle	Banking Platform	2.8.0	All	All	All
Application	Oracle	Banking Platform	2.9.0	All	All	All
Application	Oracle	Banking Treasury Management	4.4	All	All	All
Application	Oracle	Blockchain Platform	All	All	All	All
Application	Oracle	Coherence	12.2.1.4.0	All	All	All
Application	Oracle	Coherence	14.1.1.0.0	All	All	All
Application	Oracle	Commerce Platform	11.2.0	All	All	All
Application	Oracle	Commerce Platform	All	All	All	All
Application	Oracle	Communications Billing And Revenue Management	12.0.0.3.0	All	All	All
Application	Oracle	Communications Billing And Revenue Management	7.5.0.23.0	All	All	All
Application	Oracle	Communications Cloud Native Core Unified Data Repository	1.4.0	All	All	All
Application	Oracle	Communications Convergent Charging Controller	12.0.4.0.0	All	All	All
Application	Oracle	Communications Evolved Communications Application Server	7.1	All	All	All
Application	Oracle	Communications Instant Messaging Server	10.0.1.5.0	All	All	All
Application	Oracle	Communications Interactive Session Recorder	6.3	All	All	All
Application	Oracle	Communications Interactive Session Recorder	6.4	All	All	All
Operating System	Oracle	Communications Messaging Server	8.0.2	All	All	All
Operating System	Oracle	Communications Messaging Server	8.1	All	All	All
Application	Oracle	Communications Network Charging And Control	12.0.4.0.0	All	All	All
Application	Oracle	Communications Offline Mediation Controller	12.0.0.3	All	All	All
Application	Oracle	Communications Pricing Design Center	12.0.0.4.0	All	All	All
Application	Oracle	Communications Services Gatekeeper	7.0	All	All	All
Application	Oracle	Communications Unified Inventory Management	7.4.1	All	All	All
Application	Oracle	Goldengate Application Adapters	19.1.0.0.0	All	All	All
Application	Oracle	Health Sciences Empirica Signal	9.0	All	All	All
Application	Oracle	Health Sciences Empirica Signal	9.1	All	All	All
Application	Oracle	Insurance Policy Administration	11.0.2	All	All	All
Application	Oracle	Insurance Policy Administration	All	All	All	All
Application	Oracle	Insurance Rules Palette	11.0.2	All	All	All
Application	Oracle	Insurance Rules Palette	All	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Orchestrator	All	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	All	All	All	All
Application	Oracle	Primavera Gateway	18.8	All	All	All
Application	Oracle	Primavera Gateway	19.12	All	All	All
Application	Oracle	Primavera Gateway	20.12	All	All	All
Application	Oracle	Primavera Gateway	20.12.0	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Retail Service Backbone	14.1.3.2	All	All	All
Application	Oracle	Retail Service Backbone	15.0.3.1	All	All	All
Application	Oracle	Retail Service Backbone	16.0.3	All	All	All
Application	Oracle	Retail Xstore Point Of Service	16.0.6	All	All	All
Application	Oracle	Retail Xstore Point Of Service	17.0.4	All	All	All
Application	Oracle	Retail Xstore Point Of Service	18.0.3	All	All	All
Application	Oracle	Retail Xstore Point Of Service	19.0.2	All	All	All
Application	Oracle	Retail Xstore Point Of Service	20.0.1	All	All	All
Application	Oracle	Sd-wan Edge	9.0	All	All	All
Application	Oracle	Utilities Framework	4.3.0.5.0	All	All	All
Application	Oracle	Utilities Framework	4.3.0.6.0	All	All	All
Application	Oracle	Utilities Framework	4.4.0.0.0	All	All	All
Application	Oracle	Utilities Framework	4.4.0.2.0	All	All	All
Application	Oracle	Utilities Framework	4.4.0.3.0	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.3.0	All	All	All
Application	Oracle	Webcenter Portal	12.2.1.4.0	All	All	All
Application	Quarkus	Quarkus	All	All	All	All

References

Reference	Source	Link	Tags
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
[kafka-dev] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Patch, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
[kafka-users] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Patch, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Patch, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
CVE-2020-25649 FasterXML Jackson Databind Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com	Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Oracle Critical Patch Update Advisory - July 2021	N/A	www.oracle.com
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
[SECURITY] Fedora 32 Update: jackson-databind-2.10.5.1-1.fc32 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Patch, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Patch, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
1887664 – (CVE-2020-25649) CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)	MISC	bugzilla.redhat.com	Issue Tracking, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
[hive-issues] 20211012 [jira] [Resolved] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
`DOMDeserializer`: setExpandEntityReferences(false) may not prevent external entity expansion in all cases [CVE-2020-25649] · Issue #2589 · FasterXML/jackson-databind · GitHub	MISC	github.com	Patch, Third Party Advisory
[hive-issues] 20211012 [jira] [Updated] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
[SECURITY] Fedora 32 Update: jackson-databind-2.10.5.1-1.fc32 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Pony Mail!		lists.apache.org
[kafka-users] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Patch, Third Party Advisory
Pony Mail!		lists.apache.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
Oracle Critical Patch Update Advisory - April 2021	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MISC	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
[kafka-dev] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image		lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

178642 Debian Security Update for jackson-databind (DLA 2638-1)
375337 IBM Spectrum Control Multiple Vulnerability(6415993)
375483 Oracle Coherence April 2021 Critical Patch Update
730206 McAfee Web Gateway Multiple Vulnerabilities (WP-3792, WP-4003, WP-4021, WP-4058, WP-4067)
752129 SUSE Enterprise Linux Security Update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core (SUSE-SU-2022:1678-1)
980328 Java (maven) Security Update for com.fasterxml.jackson.core:jackson-databind (GHSA-288c-cq4h-88gq)